Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Resource: win10v2004-20231222-en
General
Target: ad7a5d13335355b29d8ea0f3f2878aa4.exe
Size: 512KB
MD5: ad7a5d13335355b29d8ea0f3f2878aa4
SHA1: 153204300260657de1724b4f6571724d8c49a17e
SHA256: b262b9df3885d2b65839220bf0ff28ac8f889859fd056371a8435c31e84d2f7c
SHA512: 9cdc38bde5ecf397192b3e2190b677b33b9f8ca42f9e24b9d5eda4366f88460c7c23e8c7d2a4690f7097bcfbbe3f91258f094ec48ff72590a2fed8119d7fc2d1
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6R:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (gqzqinqdqd.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (gqzqinqdqd.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (gqzqinqdqd.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (gqzqinqdqd.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
Executes dropped EXE 5 IoCs
- PID 3752 gqzqinqdqd.exe
- PID 8 wcnbisjoosnvjok.exe
- PID 212 tmizluxt.exe
- PID 5028 wsvqayhbxpmrs.exe
- PID 3636 tmizluxt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (gqzqinqdqd.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lhzxvpnp = "gqzqinqdqd.exe" (wcnbisjoosnvjok.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwwhhugt = "wcnbisjoosnvjok.exe" (wcnbisjoosnvjok.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wsvqayhbxpmrs.exe" (wcnbisjoosnvjok.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root; grouped by process, with letters the report repeats listed once:
- gqzqinqdqd.exe (22 entries): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\w: \??\x: \??\y: \??\z:
- tmizluxt.exe (42 entries): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (gqzqinqdqd.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (gqzqinqdqd.exe)
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
All 15 resources matched yara rule autoit_exe:
- behavioral2/memory/4608-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x00070000000231f9-5.dat
- behavioral2/files/0x00070000000231fc-28.dat
- behavioral2/files/0x000600000001e5df-19.dat
- behavioral2/files/0x0006000000023201-32.dat
- behavioral2/files/0x00070000000231fc-29.dat
- behavioral2/files/0x0006000000023201-31.dat
- behavioral2/files/0x00070000000231f9-23.dat
- behavioral2/files/0x00070000000231f9-22.dat
- behavioral2/files/0x000600000001e5df-18.dat
- behavioral2/files/0x00070000000231fc-43.dat
- behavioral2/files/0x000600000002320e-75.dat
- behavioral2/files/0x000600000002320d-72.dat
- behavioral2/files/0x00050000000228cb-85.dat
- behavioral2/files/0x00050000000228cb-102.dat
Drops file in System32 directory 12 IoCs
- File opened for modification C:\Windows\SysWOW64\gqzqinqdqd.exe (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- File created C:\Windows\SysWOW64\wcnbisjoosnvjok.exe (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- File created C:\Windows\SysWOW64\tmizluxt.exe (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- File created C:\Windows\SysWOW64\wsvqayhbxpmrs.exe (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (gqzqinqdqd.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File created C:\Windows\SysWOW64\gqzqinqdqd.exe (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- File opened for modification C:\Windows\SysWOW64\wcnbisjoosnvjok.exe (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- File opened for modification C:\Windows\SysWOW64\tmizluxt.exe (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- File opened for modification C:\Windows\SysWOW64\wsvqayhbxpmrs.exe (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (tmizluxt.exe)
Drops file in Program Files directory 15 IoCs
All 15 entries are by tmizluxt.exe:
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Drops file in Windows directory 19 IoCs
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification C:\Windows\mydoc.rtf (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (tmizluxt.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (tmizluxt.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 20 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (gqzqinqdqd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (gqzqinqdqd.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (gqzqinqdqd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D799D2382276A3576A577272CDA7C8F64DD" (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (gqzqinqdqd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCFF4F2682699140D62E7D9DBDEFE643584767336245D6EE" (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BC4FF6E22D0D109D1D58A0C906A" (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C70F14E5DAB3B8CC7FE1EDE037CD" (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (gqzqinqdqd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FACEF963F1E083793A4286EA39E5B080038C4366023FE1C442EF08A1" (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B15C47E738E853B9B9D7339DD4BB" (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (gqzqinqdqd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (gqzqinqdqd.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (gqzqinqdqd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (gqzqinqdqd.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (ad7a5d13335355b29d8ea0f3f2878aa4.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (gqzqinqdqd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (gqzqinqdqd.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (gqzqinqdqd.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 4308 WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Entries grouped by process (64 in total):
- PID 4608 ad7a5d13335355b29d8ea0f3f2878aa4.exe (16 entries)
- PID 8 wcnbisjoosnvjok.exe (12 entries)
- PID 212 tmizluxt.exe (8 entries)
- PID 3752 gqzqinqdqd.exe (10 entries)
- PID 5028 wsvqayhbxpmrs.exe (16 entries)
- PID 3636 tmizluxt.exe (2 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
Entries grouped by process (18 in total, 3 each):
- PID 4608 ad7a5d13335355b29d8ea0f3f2878aa4.exe
- PID 8 wcnbisjoosnvjok.exe
- PID 3752 gqzqinqdqd.exe
- PID 212 tmizluxt.exe
- PID 5028 wsvqayhbxpmrs.exe
- PID 3636 tmizluxt.exe
Suspicious use of SendNotifyMessage 18 IoCs
Entries grouped by process (18 in total, 3 each):
- PID 4608 ad7a5d13335355b29d8ea0f3f2878aa4.exe
- PID 8 wcnbisjoosnvjok.exe
- PID 3752 gqzqinqdqd.exe
- PID 212 tmizluxt.exe
- PID 5028 wsvqayhbxpmrs.exe
- PID 3636 tmizluxt.exe
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 4308 WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory 17 IoCs
Each entry gives the writing process, its PID and the target process id (procid_target):
- PID 4608 (ad7a5d13335355b29d8ea0f3f2878aa4.exe) wrote to memory of 3752, procid_target 53 (3 entries)
- PID 4608 (ad7a5d13335355b29d8ea0f3f2878aa4.exe) wrote to memory of 8, procid_target 52 (3 entries)
- PID 4608 (ad7a5d13335355b29d8ea0f3f2878aa4.exe) wrote to memory of 212, procid_target 51 (3 entries)
- PID 4608 (ad7a5d13335355b29d8ea0f3f2878aa4.exe) wrote to memory of 5028, procid_target 50 (3 entries)
- PID 4608 (ad7a5d13335355b29d8ea0f3f2878aa4.exe) wrote to memory of 4308, procid_target 59 (2 entries)
- PID 3752 (gqzqinqdqd.exe) wrote to memory of 3636, procid_target 61 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe"
  PID: 4608
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wsvqayhbxpmrs.exe (depth 2)
    Command line: wsvqayhbxpmrs.exe
    PID: 5028
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\tmizluxt.exe (depth 2)
    Command line: tmizluxt.exe
    PID: 212
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wcnbisjoosnvjok.exe (depth 2)
    Command line: wcnbisjoosnvjok.exe
    PID: 8
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gqzqinqdqd.exe (depth 2)
    Command line: gqzqinqdqd.exe
    PID: 3752
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tmizluxt.exe (depth 3)
      Command line: C:\Windows\system32\tmizluxt.exe
      PID: 3636
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4308
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
- Filesize: 79KB
  MD5: 06b21831e7f153584f88f6c49ae83c42
  SHA1: 697366a81093018b1cd861e2c8390836edfe1522
  SHA256: 029acd9f552105643b3921afa539ff77e926f86fbb7886577a75d9eae95db34d
  SHA512: f2362ee5f4ca9d0c54d319a9505e0c5d9db1155243d78a6682165c1db278c043f33cded461510f9b3adbcb778b7ff649870b9705b3f6c251f277157e5a504920
- Filesize: 88KB
  MD5: e7f8ba74bf765e4816d5481f44a20956
  SHA1: 5a48a0e9a7ff8140bfdcc56847606ce44617d878
  SHA256: 9a8037de165e021945190de6041275d1a7b6bdc31843abc74908c59514346a8e
  SHA512: 34fb0e9ad423010910aca5881307ddd2a49ff6354223d432d33fbf2ae6a182a55a008b5e9c5d6c54d07cedc2de283259eced7813dc190fb81f04ecb8fe0fd6c5
- Filesize: 239B
  MD5: 0d3ca1b030b66a9a9d3347648e862c61
  SHA1: 7e0ac945558db2b7a432a8baa5de317fb08da232
  SHA256: 14247b5171279803a5ebeae38549f0a645eb6c636efdeb8e59803465590480df
  SHA512: 64b179ba6c60857ee08ac9fcb06f459e33c54da1bb5a78c8ba5e8c82afbf23b897d8edead7ac7fbdbf87f0ce2b1ba788c8ab0fcb49f86b47d9cb7ae126f14eba
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: f98aa6545f61acfea1ff51e03055294b
  SHA1: ad1d5b5e8ceea107b8217166128e94bd5eb56089
  SHA256: 9c4e046fae8dffe572a154cf3680f6e77ad8356163fac698fef489b8275662b1
  SHA512: 9cc6ca8667b3c5c9103b94b5bf65feb26b2a46df28ca8ed18cf69e3784033d1d101208c364ee7a8635be579445b5ca4581e912ae494447c21ced73130de67046
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 39fd004f36123d1c4e277dcd60fcc066
  SHA1: 372481e709dc6c74a2504e086ac81b15ac00f529
  SHA256: 296434fe654792d6e726f5cf0094b36a321a6f3ded5ac186eb421efbe83d75e6
  SHA512: 843eba54e088cb5ba541b18dc3d46ea65283a7fa2cd34734b16d7ad00225e64be8325aef566fc87808c10ed761b20cea5761e0f279ae423982f459b6a3b8cecc
- Filesize: 72KB
  MD5: 920164e5b160245e79a61f6b9e62cef2
  SHA1: b004182805dea580c40f265ce05650044225d2e4
  SHA256: 4320304e7f344da51dde1351a9d9572cca81ff9a9e6c1ed1b017b332f3dbc628
  SHA512: 01b8ab75a2f798b6f5fbb30ceb3b764495523db7e679bac75f69bb95f89af820f081c2afcb534c92332d57c7b456ba0254101152e8266199b4fd5ffacc8e474b
- Filesize: 117KB
  MD5: 23b9521bc7d24842b495cf21baa29ce1
  SHA1: 8fba18fb506f4473b592eb64bc54ce00b4814ae3
  SHA256: 9c2c80312516456f9813ae48b4e02882649d7683082439a684e95fc10dfc469d
  SHA512: 2fa7ef0f7e8f85e3dd9ae8481ab870679e2a7a3adfb1e6a98f84802f876e87f45cacf445520e68db356c92a4f1f599a21cbd0ef95a82ced671bfe688b0ee07a6
- Filesize: 19KB
  MD5: 49ff501769e0763bf27ac6b86847a48c
  SHA1: 03133238b46fafec5adcf0c5e7612bb3d2312634
  SHA256: 2027382551f9760f62a64aea68cf2ae4171c64d212fa26c9df26161e6f577316
  SHA512: 2686adda404f3712300f5757002339337f0179cea4871a1cc68be780f511f5a8e1db4c8a49f146f49dc75f82039ae32ca84c622a79ccf49259984d0da0887e51
- Filesize: 24KB
  MD5: e23e0550840d3bbce4238a85ff66dd66
  SHA1: 826dc4d5047fb831b5ceac6830e81a9971198a99
  SHA256: 8743b2f7e4049b0fc704e22b4c7877fd8d79c8adc08258797d3038c37996a627
  SHA512: e0b7520af70591a6e6c0f5bc9e65e768167c5e4db67879e7d13a6e91143f7fd90518e4e80c35d0fa51e8f6f1733930d9e831bb1ec98be6d94f8ac5b0d226be28
- Filesize: 216KB
  MD5: ac7119d98479f01c9bfe7b2b4f33d2b4
  SHA1: f1e198049f8406e78379ced8bfa510f01043787c
  SHA256: 538493e3081dcaaaa92c8fc1c1a0fab136be1a28f367de7517a35bf56f7efd76
  SHA512: 677a48220e228e38b969ce9199b463bdcc5e4518b2203efad8e37642b490136b7332bb038168eead4aa199ead874dbb7dcc14c56d178ebce518c30609c1162ed
- Filesize: 33KB
  MD5: 7df8c5256d041bc939000603dd2d4aa1
  SHA1: ca5355e49fa68db316b2cc5acc270c0c88ac1101
  SHA256: aaf77108da1e0277d837bb17ae1cc0b175e3d1fccebf03044fda325d38625c4e
  SHA512: 720f1111b5d8de914045b35560f2abcd6fd454afb97ea931864bb29032eaa13ba7f53c05ed88694e7f46be128343d21a3a6dc85ba41ea00434a9158cb60d31e8
- Filesize: 45KB
  MD5: d8206d952223cf2581d9b27731c7e9ff
  SHA1: f496c3ca153a7d338ffbcd8c2f425bc48b880216
  SHA256: be3ce9ac67ab9f3fffd9de9100cc8a13c2fe32c5332bd5318f2bbdf65ba7c4a3
  SHA512: dbacc4a8ca8cf845cd7df65531f46d3d5d78077d7a18a26a5be41cf0d16bd3d23a623ded82af87bbeb7588047f4764a0d134c1c8e47aa142c64f5e338e0e10e2
- Filesize: 78KB
  MD5: 5cb9230da110fa40798b4c745185b376
  SHA1: 81cecf80440a75643fc7b79dd29062b6d87c138e
  SHA256: bbfd13a69c3b8eaa59658025f20bc740d79cf60773df77320ccfc25ead13e826
  SHA512: 3dd5fa868b484df93a97b9d719f253efa9f492edbfd2615f93696fb6c8d70ef5e024a76c08268178b3546dc7e4a2ba8992392226e299643898a9c9fb1031091e
- Filesize: 19KB
  MD5: beb3abfe318fd7224bd4d8ead9a0ad14
  SHA1: 2b62646cda6363ffec037a4b9aea8045c98918ca
  SHA256: be495a5a52d43289b3ffbd937983917e561fed7ffefcaa8388e938bbbc9ca72b
  SHA512: f57674b423dc85cec783bc4d8e4d46e265a8926413174160566fad15b3f178e26d724922a1e4eac235926e0e6620b66642197829258eb17108cf9c2226e1cc90
- Filesize: 27KB
  MD5: 31a44be1dd2f6f33477eb77af28ca476
  SHA1: 6f74d00cad5bd7c68206d73278070862cfda4c27
  SHA256: 27cc229d6ae60d4cd48eb1d8627480c62213359344ea81f4a39a8fc54af1e11f
  SHA512: c049b43c96632ecbbe2f82c78f636c84fbb556fe203dfe28ad509bc4e5aebe8b326b1bf53a2638b83f692bd241d895da4de297546ef287ea6aa7091514409369
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 76KB
  MD5: 09bfd16bd48ef769f36d3c57617fb946
  SHA1: 5a357dd0ebe77d9eaaee8673022a4d6eb85a0cdb
  SHA256: 9b75f7d4a47240af78ce5edc68df43855f78b2d055ec248c119916a02a13d763
  SHA512: 8f5d35220c8b612ad71bb81fac5539f27ac5ad594201e2420bb2968bb42d69338fffc018444165afef59e32668cf9dd955b69c761d4dd1e127b0efec295d891d
- Filesize: 105KB
  MD5: c3ad4835de910c0aab181460cb979f43
  SHA1: 49923075ba2410e2bbb65a1ba02bd6bc42df1215
  SHA256: b11f31e13cae8c56e6b6436fdbfb16eb1ca315c56f8ee1ce49d9e58da11345ee
  SHA512: fef3804301559e148604ea0267ec85d5aff6d10281844d599f7538d9c7ed2d0aeee569be2eb54b1148a66df3703d25b11296ee884e3170151b6be0dd9123655a